Security Groups don't support protocol 4 (ip-in-ip) and return 500

Bug #1716045 reported by German Eichberger on 2017-09-08
Affects: neutron
Importance: High
Assigned to: Brian Haley

Bug Description

When trying to create a security group with protocol 4 Neutron returns 500:

stack@octavia:~/devstack$ openstack security group rule create --protocol 4 b30911a1-558c-41fe-89fd-915c0da030cf
Error while executing command: Internal Server Error (HTTP 500) (Request-ID: req-d1e3eb48-0799-4c7b-b4ac-36501c221842)

I tried this on devstack so it should be pretty easy to reproduce. Ideally I would like to see IP-in-IP supported but a better error message might be a first step.

Brian Haley (brian-haley) wrote :

The actual error is:

  ValueError: Field value 4 is invalid

Which is most likely due to the fact that we're validating against IP_PROTOCOL_MAP from neutron-lib, which doesn't include IP, just upper-layer protocols.

A fix for IP-in-IP, or more generally, IPvX-in-IPvX, would take an investigation to determine what the iptables and OVS support is for it and how to program it into the ruleset. We'd also have to check that conntrack supports it.

Changed in neutron:
status: New → Confirmed
importance: Undecided → Wishlist
Brian Haley (brian-haley) wrote :

I marked this Wishlist just because it's maybe not as simple as tweaking the allowed IP protocol list to make it work.

Michael Johnson (johnsom) wrote :

This is a bug as it is documented that neutron supports 0-255 for the protocol integer. We also have a liberty cloud where it works, so this might be a regression.

Changed in neutron:
importance: Wishlist → High
Michael Johnson (johnsom) wrote :

It should not be returning 500 either, it should be a 400 if it was an invalid parameter.

Attaching the stacktrace.

Fix proposed to branch: master
Review: https://review.openstack.org/503198

Changed in neutron:
assignee: nobody → German Eichberger (german-eichberger)
status: Confirmed → In Progress

Fix proposed to branch: master
Review: https://review.openstack.org/511561

Changed in neutron:
assignee: German Eichberger (german-eichberger) → Brian Haley (brian-haley)

Reviewed: https://review.openstack.org/511561
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=7ff492c5bb9ce9f24f12db40c8e3a33beb47f87b
Submitter: Zuul
Branch: master

commit 7ff492c5bb9ce9f24f12db40c8e3a33beb47f87b
Author: Brian Haley <email address hidden>
Date: Thu Oct 12 15:25:26 2017 -0400

    Support protocol numbers in security group API

    Somewhere along the way we broke supporting numbers in
    the security group API that were not in our known list
    of protocols. In order to fix this properly we must
    use the correct arguments when using iptables-save, as
    it could use a name instead of a number, or vice-versa.
    Determined the list of mappings by doing:

     for num in {0..255}; do iptables -A INPUT -p $num; done
     # iptables-save

    Change-Id: I5895250b47ddf664d214cf085be693c3897e0c87
    Closes-bug: #1716045
    Closes-bug: #1716790

Changed in neutron:
status: In Progress → Fix Released
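An added example, not Neutron's or neutron-lib's code, illustrating the two points made above (Brian Haley's comment on validating against a fixed protocol map, and the commit message's note that iptables-save may print a name where a number was given, or vice versa): a validator that accepts any 0-255 number or a known name and raises an error the API layer can map to 400 rather than 500, plus a comparison that normalizes both sides to numbers before matching. The /etc/protocols table and the iptables-save line are constructed samples; the names a real iptables-save prints depend on the system's /etc/protocols.

```python
import re

# Constructed subset of /etc/protocols (name, number, aliases); a real
# deployment would read the system file instead.
PROTOCOLS_TEXT = """\
ip       0  IP        # internet protocol, pseudo protocol number
icmp     1  ICMP      # internet control message protocol
ipencap  4  IP-ENCAP  # IP encapsulated in IP
tcp      6  TCP       # transmission control protocol
udp     17  UDP       # user datagram protocol
ipip    94  IPIP      # IP-within-IP encapsulation protocol
"""

class InvalidProtocol(ValueError):
    """Validation error the API layer should map to HTTP 400, not 500."""

def parse_protocols(text):
    """Map every name and alias in /etc/protocols-style text to its number."""
    table = {}
    for line in text.splitlines():
        fields = line.split('#', 1)[0].split()
        if len(fields) < 2:
            continue
        for name in [fields[0]] + fields[2:]:
            table[name.lower()] = int(fields[1])
    return table

NAME_TO_NUMBER = parse_protocols(PROTOCOLS_TEXT)

def validate_protocol(value):
    """Return the protocol number for a known name or any integer 0-255.
    A number with no known name (protocol 4 here) is still accepted, which
    is the documented 0-255 contract the bug report says was broken."""
    text = str(value).strip().lower()
    if text in NAME_TO_NUMBER:
        return NAME_TO_NUMBER[text]
    if re.fullmatch(r'[0-9]{1,3}', text) and int(text) <= 255:
        return int(text)
    raise InvalidProtocol('protocol %r is not a known name or 0-255' % (value,))

def rule_matches(api_protocol, iptables_save_line):
    """True when an iptables-save rule carries the API rule's protocol.
    iptables-save may print a /etc/protocols name where the API stored a
    number (or vice versa); comparing numbers avoids a spurious mismatch."""
    match = re.search(r'(?:^|\s)-p\s+(\S+)', iptables_save_line)
    return bool(match) and \
        validate_protocol(match.group(1)) == validate_protocol(api_protocol)
```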

Reviewed: https://review.openstack.org/503198
Committed: https://git.openstack.org/cgit/openstack/neutron-lib/commit/?id=f4c4b0f20a796caf2133f6029ca3455382cd50ad
Submitter: Zuul
Branch: master

commit f4c4b0f20a796caf2133f6029ca3455382cd50ad
Author: German Eichberger <email address hidden>
Date: Tue Sep 12 15:18:46 2017 -0600

    Adds IPinIP protocol

    Neutron doesn't support the IP-in-IP protocol by name in
    security group rules. With this change a user can now
    declare the IP-in-IP protocol by using the name 'ipip'

    Note: This doesn't fix an underlying problem
    with the Neutron protocol number validator, but
    serves as a work around for users wanting to use
    the IP-in-IP protocol.

    Partial-bug: #1716045

    Change-Id: I18e5e42b687e12b64f5a9c523a912c8dd1afa9d2

This issue was fixed in the openstack/neutron 12.0.0.0b2 development milestone.

Reviewed: https://review.openstack.org/532188
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=d16f69b3ae925bc4f48f75c84798a8fe2198aa2e
Submitter: Zuul
Branch: stable/pike

commit d16f69b3ae925bc4f48f75c84798a8fe2198aa2e
Author: Brian Haley <email address hidden>
Date: Thu Oct 12 15:25:26 2017 -0400

    Support protocol numbers in security group API

    Somewhere along the way we broke supporting numbers in
    the security group API that were not in our known list
    of protocols. In order to fix this properly we must
    use the correct arguments when using iptables-save, as
    it could use a name instead of a number, or vice-versa.
    Determined the list of mappings by doing:

     for num in {0..255}; do iptables -A INPUT -p $num; done
     # iptables-save

    Change-Id: I5895250b47ddf664d214cf085be693c3897e0c87
    Closes-bug: #1716045
    Closes-bug: #1716790
    (cherry picked from commit 7ff492c5bb9ce9f24f12db40c8e3a33beb47f87b)

tags: added: in-stable-pike

Reviewed: https://review.openstack.org/532460
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=8442a144a230964ee88cfee43927eb1b1c94ee03
Submitter: Zuul
Branch: stable/ocata

commit 8442a144a230964ee88cfee43927eb1b1c94ee03
Author: Brian Haley <email address hidden>
Date: Thu Oct 12 15:25:26 2017 -0400

    Support protocol numbers in security group API

    Somewhere along the way we broke supporting numbers in
    the security group API that were not in our known list
    of protocols. In order to fix this properly we must
    use the correct arguments when using iptables-save, as
    it could use a name instead of a number, or vice-versa.
    Determined the list of mappings by doing:

     for num in {0..255}; do iptables -A INPUT -p $num; done
     # iptables-save

    Change-Id: I5895250b47ddf664d214cf085be693c3897e0c87
    Closes-bug: #1716045
    Closes-bug: #1716790
    (cherry picked from commit 7ff492c5bb9ce9f24f12db40c8e3a33beb47f87b)

tags: added: in-stable-ocata

This issue was fixed in the openstack/neutron 10.0.5 release.

This issue was fixed in the openstack/neutron 11.0.3 release.
